Typogrify - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-002

Project: Typogrify
Date: 2024-January-10
Security risk: Moderately critical 12∕25
Vulnerability: Cross Site Scripting
Affected versions: <1.3.0

Description

The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter.

The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that it is only exposed when the twig filter is specifically used in a template to render content.

Solution

Install the latest version:

If you use the Typogrify module for Drupal 10.x, upgrade to Typogrify 8.x-1.3

If you use the typogrify Twig filter provided by this module, then this update may cause double-encoding of text. See the updated README for best practices.